
Assignment – Active Directory Design and Active Directory Implementation

Introduction

The assignment for week three called for the creation of a document that “will specify organizational Active Directory design, and develop and implement Active Directory as per organizational standards and policies” (UMUC, n.d.). According to the assignment document (UMUC, n.d.), this section must include but is not limited to:

· Create Active directory policies to include recommended features

· Create and implement forest named WWTC.com

· Create OU for each Department under forest WWTC.com.

· Link WWTC.com to headquarters.

· Create Global, Universal, Local groups for each domain. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and membership can be assigned on the basis of the least-privilege principle. (For design purposes, you can assume that WWTC is a single forest with multiple domains.)

· Create GPO and GPO policies (all domains will be serviced and managed by IT staff at World-Wide Trading Company).

The network details were generated from the information provided in the Case Study World Wide Trading Company (WWTC) document. (UMUC, n.d.)

WWTC Forest

Active Directory simplifies the management of users and resources. Its key properties are scalability, a manageable infrastructure and controlled allocation of access to resources, and it is the foundation on which newer Windows technologies build. Active Directory is not an ordinary directory: it provides authentication, authorization and configuration management across the organization (Microsoft, 2014). The first and most consequential design decision is therefore the forest, because the forest is the security and replication boundary for everything deployed afterwards.

Create and implement forest named WWTC.com

Active Directory is a directory service that stores and manages information about network resources. Administrators use it as the database of enterprise resources such as computers, users, hardware and software. Domains and forests are the two main elements of the logical structure of that database (sites and domain controllers form the physical structure). An enterprise may have one or several domains; most need only a single forest. In the case of World-Wide Trading Company (WWTC), the New York enterprise will require one forest and one domain, with room to add domains later. The aim of this paper is to create and implement a forest named WWTC.com, create an OU for each department under the forest WWTC.com and link WWTC.com to headquarters (Microsoft, 2014).

When creating the forest WWTC.com, the scope and focus will be an Active Directory that offers service deployment in a straightforward and easy to use network infrastructure. A forest contains one or more domains that share a single schema, a single configuration partition and a single global catalog, and it is the unit in which forest-wide administrative roles and responsibilities are defined. Each domain is a separate replication partition, so splitting a forest into several domains limits the directory data that must be replicated to every domain controller. When designing the forest, the administrator is responsible for completing the domain design for WWTC. The elements of the domain design are the forest root domain, the name of the domain, the scope of the domain and the number of users who will use it. The network infrastructure team should also plan a schedule for upgrades. In WWTC the scope of the forest has already been defined: approximately 4,000 users, a domain name of WWTC.com, and WWTC.com (NetBIOS name WWTC) as the forest root domain (Microsoft, 2014).

Being an enterprise with a global business and objectives of growth, this organization will use a dedicated forest root domain, that is, a root domain that holds no user or resource accounts other than the forest-level service administrators. The purposes of a dedicated forest root domain are the following:

· A small number of administrators hold the forest-wide rights (Enterprise Admins and Schema Admins); they are separated from the per-domain administrators, so the set of accounts able to make unlimited forest-wide changes stays small.

· The root domain stays small, so it is cheap to replicate its domain controllers to other locations for availability and recovery.

· The root domain never becomes obsolete: it contains no business units, so a reorganization never forces it to be retired or restructured.

· Ownership of the forest root is easier to transfer if the business changes to the point where the current plan is no longer favorable.
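As an added example that is not part of the original assignment, the following PowerShell builds the WWTC.com forest root on a freshly installed Windows Server 2012 R2 machine, adds a child domain, and then lists the forest-wide roles and groups that make a dedicated root worth isolating. The forest and domain names come from the design; the server-side details (a second server for the child domain, the NetBIOS names, the administrator account used) are assumptions.

```powershell
# Added example: promote the first server to forest root of WWTC.com.
# Assumptions: Windows Server 2012 R2, static IP already configured, elevated shell.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# The DSRM password is needed for offline repair of the DC; Read-Host keeps it
# out of the script and out of the command history.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

Install-ADDSForest `
    -DomainName 'WWTC.com' `
    -DomainNetbiosName 'WWTC' `
    -ForestMode Win2012R2 `
    -DomainMode Win2012R2 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force            # suppress the confirmation prompt; the server reboots when done

# --- On a second server, once the root is up: add the child domain us.WWTC.com
# (cn.WWTC.com is created the same way). The parent credential creates the child
# domain and the DNS delegation in the WWTC.com zone.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomain `
    -NewDomainName 'us' `
    -ParentDomainName 'WWTC.com' `
    -NewDomainNetbiosName 'US' `
    -DomainType ChildDomain `
    -DomainMode Win2012R2 `
    -InstallDns -CreateDnsDelegation `
    -Credential (Get-Credential 'WWTC\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password for us.WWTC.com') `
    -Force

# --- Verification from any domain controller. The root holds the two forest-wide
# FSMO roles and the forest-wide admin groups; those groups should stay nearly
# empty, because membership in them is exactly the "unlimited forest-wide change"
# the dedicated-root design is meant to confine.
Get-ADForest | Select-Object RootDomain, Domains, ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain -Identity 'WWTC.com' | Select-Object DNSRoot, NetBIOSName, ChildDomains, PDCEmulator

foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $g -Server 'WWTC.com' -Recursive)
    '{0}: {1} member(s): {2}' -f $g, $members.Count, (($members | ForEach-Object SamAccountName) -join ', ')
}
```

The two Install-ADDS* commands run on different servers and each ends in a reboot; the verification section is what an auditor would run afterwards to confirm that the root domain really is dedicated (no department accounts, two or three members in each forest-wide group).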

Figure 1: Active Directory forest WWTC.com. The diagram showed the root domain container (WWTC.com) and the child domain containers that may be added, joined by two-way transitive trusts; the image itself is not reproduced here.

Create OU for each Department under forest WWTC.com.

Organizational units (OUs) are containers within a domain. The logical model has three tiers: the forest at the top, the domains within the forest, and the OUs within each domain. OUs are the element of the model that supports delegation: an administrator can hand control of the objects in one OU to a department without granting rights over the rest of the domain (Microsoft, 2014). OUs are also the scope to which Group Policy is linked, and they can be used to restrict the visibility of objects.

Within the WWTC New York organization, OUs are created after the forest and root domain are in place. Following IT best practice, the OUs are modeled inside the domain on the organization's departments: each department manages its own objects within the larger domain, while the IT staff manage the overall configuration of the domain. OU owners therefore need administrative skills comparable to those of the domain administrators, within the scope delegated to them. Their tasks include adjusting the OU structure as the organization changes and supporting business and network policies. OUs are designed to be easy to change; an OU can contain other OUs, users, groups, computers and other objects (Microsoft, 2014). OUs and sub-OUs form a structure within the domain that exists primarily for management. There is no hard limit on the number of OUs in a domain, but a deep hierarchy is costly to update and slows Group Policy processing, so WWTC will follow Microsoft's guidance and keep the hierarchy no more than ten levels deep. The OU model for WWTC is explained in the figure below:

In the OU model above, the default containers created with the domain are the Users and Computers containers and the Domain Controllers OU. Users and Computers are plain containers, not OUs: Group Policy cannot be linked to them, so accounts should be placed in (or redirected to) departmental OUs where policy applies. WWTC requires high performance and the highest possible uptime, and the nature of the business requires a high level of security, so scheduled system upgrades will be needed. Because an object can be moved between OUs within a domain without being re-created, an upgrade can be staged by moving computers into an OU whose policy targets the new configuration; users keep their accounts and do not have to be relocated. Moving objects between domains is a different matter and requires a migration tool, which is one more reason to keep departmental structure inside OUs rather than in separate domains.
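As an added example (not part of the original assignment), the following PowerShell creates the departmental OU structure for WWTC.com, redirects the default Users and Computers containers so new accounts land where policy applies, and checks the hierarchy against the ten-level limit adopted above. The department names follow the group list later in this design; the WWTC top-level OU, the Users/Workstations/Servers/Staging sub-OUs are assumptions.

```powershell
# Added example: departmental OUs, default-container redirection, depth check.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=WWTC,DC=com

function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # A deleted OU takes its GPO links and delegated ACLs with it, so protect it.
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

$root = New-OUIfMissing -Name 'WWTC' -Path $domainDN
$departments = 'Executives','Managers','Brokers','Staff','ITSupport','Operations','IT','Finance','HR'
foreach ($dept in $departments) {
    $deptOU = New-OUIfMissing -Name $dept -Path $root
    # Users and workstations are separated so that user and computer GPOs
    # (e.g. BitLocker, which is a computer policy) can be linked independently.
    New-OUIfMissing -Name 'Users'        -Path $deptOU | Out-Null
    New-OUIfMissing -Name 'Workstations' -Path $deptOU | Out-Null
}
$servers = New-OUIfMissing -Name 'Servers' -Path $root
$staging = New-OUIfMissing -Name 'Staging' -Path $root   # landing zone for newly created objects

# The built-in Users and Computers containers are not OUs and cannot have GPOs
# linked to them. Redirect new accounts into the staging OU so domain policy
# applies from the first logon; move them to their department OU afterwards.
redirusr.exe $staging
redircmp.exe $staging

# Depth check: count the OU= components of every OU's distinguished name.
function Get-OUDepthReport {
    Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
        ForEach-Object {
            $depth = ([regex]::Matches($_.DistinguishedName, '(?i)OU=')).Count
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                Depth             = $depth
                TooDeep           = ($depth -gt 10)
            }
        } | Sort-Object Depth -Descending
}
Get-OUDepthReport | Where-Object TooDeep
```

redirusr and redircmp need Domain Admins rights and write to the domain's wellKnownObjects attribute; run them once per domain. The depth report should print nothing for this design, which is only three levels deep.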

Link WWTC.com to headquarters

Linking the WWTC organization in New York to the headquarters in Hong Kong relies on Kerberos, the authentication protocol of Active Directory. Every domain controller runs a Key Distribution Center (KDC) for its own domain, and the domains of a forest are joined by trusts that tell a KDC where to refer requests for other domains. Because the two locations are far apart, access across them should work without an interactive logon in the remote domain: before an employee in the U.S. domain can open a resource in Hong Kong, the request must be authenticated along the trust path between the domains (Microsoft, 2014). Where the trust path is long or the link is slow, a shortcut trust between the two domains reduces the number of referral hops.

Accessing a resource in another domain requires a valid Kerberos ticket issued by the KDC of the domain that owns the resource. The company's root domain is WWTC.com; the U.S. domain is us.WWTC.com and the China domain is cn.WWTC.com. Both are child domains of the root and share its schema, configuration and global catalog. Within a domain, a client obtains a ticket-granting ticket (TGT) from its own KDC and then service tickets for local resources. When a user in us.WWTC.com requests a service in cn.WWTC.com, the local KDC cannot issue that service ticket; instead it issues a referral TGT for the next domain along the trust path (through the root domain WWTC.com, or directly if a shortcut trust exists), and the KDC of the remote domain issues the service ticket. Neither child domain communicates with the other outside this trust path (Microsoft, 2014).

Inside a single forest the parent-child trusts are two-way and transitive, so us.WWTC.com and cn.WWTC.com can authenticate each other's users by default. If access must be asymmetric, for example the U.S. domain may reach resources in the China domain but not the reverse, that is enforced with resource permissions and group membership, not with the trust, because intra-forest trusts cannot be made one-way. One-way trusts and selective authentication apply only to external and forest trusts. In all cases it is the Kerberos trust relationship between the KDCs that makes cross-domain communication possible.
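The trust and referral behaviour described above can be observed directly. The following PowerShell is an added example, not part of the original assignment: it lists the trusts from the root, verifies the secure channel between the child domains, watches Kerberos issue referral tickets for a cross-domain file server, and shows the optional shortcut trust. The file server files.cn.WWTC.com and the administrator accounts are assumptions.

```powershell
# Added example: inspecting trusts and Kerberos referrals in the WWTC.com forest.
Import-Module ActiveDirectory

# 1. Trusts as seen from the root. Parent-child trusts are created automatically
#    with each child domain and are always two-way (Bidirectional) and transitive.
Get-ADTrust -Filter * -Server 'WWTC.com' |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive, SelectiveAuthentication

# 2. From a domain controller in us.WWTC.com: the secure channel to the trusted
#    domain. A broken channel shows up as failed cross-domain logons.
nltest /trusted_domains
nltest /sc_verify:cn.WWTC.com

# 3. Referral in action, from a workstation in us.WWTC.com. After purging the
#    cache, request a service ticket in the other domain and list the cache:
#    referral TGTs for krbtgt/WWTC.COM and krbtgt/CN.WWTC.COM appear next to
#    the cifs/files.cn.WWTC.com service ticket, showing the two-hop trust path.
klist purge
klist get cifs/files.cn.WWTC.com
klist

# 4. Optional shortcut trust. With two child domains the referral path is
#    us -> WWTC.com -> cn. A shortcut trust lets us.WWTC.com refer directly to
#    cn.WWTC.com, which matters over a slow intercontinental link. Run as an
#    administrator of us.WWTC.com; /PasswordD:* prompts for the cn.WWTC.com
#    administrator password instead of putting it on the command line.
netdom trust us.WWTC.com /Domain:cn.WWTC.com /Add /TwoWay /UserD:CN\Administrator /PasswordD:*

# 5. Trust is not permission. Access is still decided by the ACL on the resource,
#    so giving U.S. brokers read access to a China share means putting the
#    Brokers_U universal group into a domain local group in cn.WWTC.com that
#    is named on that ACL, not widening the trust.
Get-ADGroup -Identity 'Brokers_U' -Server 'WWTC.com' -Properties Members |
    Select-Object Name, GroupScope, @{ n = 'MemberCount'; e = { $_.Members.Count } }
```

klist and nltest are the tools to reach for when a cross-domain access fails: if step 3 shows no krbtgt/CN.WWTC.COM ticket, the trust path or DNS resolution for the remote domain is the problem, not the share permissions.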

Global Universal and Local Groups

Active Directory is used within a network environment to simplify the administration of users, computers, devices and the network itself. While it takes considerable time and effort to implement a new AD design, the time saved and the ease of administration while supporting the network are the payoff. One way AD eases administration is through groups. Groups let an administrator manage large numbers of users or computers by placing them in, or moving them between, groups. If a new hire joins the accounting department, you add the account to the accounting group rather than granting each permission to the user individually. This is fast and simple, provided the group design has been planned in advance.

There are three group scopes within AD: universal, global and domain local. Universal groups and their membership are stored in the global catalog and replicated to every global catalog server in the forest, which lets them cross domain boundaries. Global groups are listed in the global catalog, but their membership is not replicated forest-wide, and they "can only contain users and computer accounts from the domain that the global group is created in" (Minasi, 2014). A domain local group can only be granted permissions within the domain in which it was created, but it can contain global and universal groups from any domain in the forest.

For the design of WWTC, we will be using the following Universal groups:

· President_U

· VPs_U

· CEOs_U

· Managers_U

· Brokers_U

· Staff_U

· ITSupport_U

· Operations_U

· IT_U

· Finance_U

· HR_U

· Workstations_U

· Printers_U

· Servers_U

We will create the following Global Groups:

· President

· VPs

· CEOs

· Managers

· Brokers

· Staff

· ITSupport

· Operations

· IT

· Finance

· HR

· Workstations

· Printers

· Servers

We will create the following Domain Local Groups:

· President_Resources

· VPs_Resources

· CEOs_Resources

· Managers_Resources

· Brokers_Resources

· Staff_Resources

· ITSupport_Resources

· Operations_Resources

· IT_Resources

· Finance_Resources

· HR_Resources

Once these groups are created, we can organize the users so that permissions are restricted through the domain local groups, while new domains can be added and users granted access to resources across domains and the forest through the universal groups.

With the appropriate groups in place, administration of the forest consists of simple group membership changes that apply the proper permissions and restrictions. To keep the most control over the domain, we will put the accounts (users and computers) into the global groups, the global groups into the appropriate universal groups, and the universal groups into the appropriate domain local groups, where the necessary permissions and restrictions are applied. This is the AGUDLP model: Accounts, Global, Universal, Domain Local, Permissions.
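As an added example (not part of the original assignment), the following PowerShell creates the groups listed above, nests them in AGUDLP order, grants one domain local group access to a share, and verifies that a user's token carries the whole chain. The group names are taken from the design; the Groups OU, the share path D:\Shares\Finance and the test user jdoe are assumptions.

```powershell
# Added example: AGUDLP group model for WWTC.com.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$groupOU  = "OU=Groups,$domainDN"
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Groups'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Groups' -Path $domainDN | Out-Null
}

# Names exactly as in the design. Workstations/Printers/Servers get global and
# universal groups but no _Resources group: they are principals that receive
# policy, not resources that receive permissions.
$principalGroups = 'President','VPs','CEOs','Managers','Brokers','Staff','ITSupport',
                   'Operations','IT','Finance','HR','Workstations','Printers','Servers'
$resourceGroups  = $principalGroups | Where-Object { $_ -notin 'Workstations','Printers','Servers' }

function New-SecurityGroupIfMissing {
    param([string]$Name, [ValidateSet('Global','Universal','DomainLocal')][string]$Scope)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $groupOU)) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                    -GroupCategory Security -Path $groupOU | Out-Null
    }
}

foreach ($g in $principalGroups) {
    New-SecurityGroupIfMissing -Name $g       -Scope Global
    New-SecurityGroupIfMissing -Name "${g}_U" -Scope Universal
    # G -> U: the global group is the only direct member of its universal group,
    # so universal membership (replicated to every global catalog) rarely changes.
    Add-ADGroupMember -Identity "${g}_U" -Members $g
}
foreach ($g in $resourceGroups) {
    New-SecurityGroupIfMissing -Name "${g}_Resources" -Scope DomainLocal
    # U -> DL: only the domain local group is ever named on an ACL.
    Add-ADGroupMember -Identity "${g}_Resources" -Members "${g}_U"
}

# A -> G: a new Finance hire is added to the global group and nothing else.
Add-ADGroupMember -Identity 'Finance' -Members 'jdoe'        # assumed test user

# DL -> P: Finance_Resources gets Modify on the Finance share. Inheritance from
# the parent folder is cut so that no broader ACE leaks in.
$share = 'D:\Shares\Finance'
New-Item -ItemType Directory -Path $share -Force | Out-Null
$acl = Get-Acl -Path $share
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\Finance_Resources", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $share -AclObject $acl

# Verification: tokenGroups holds every group SID the account carries, including
# nested ones, so Finance, Finance_U and Finance_Resources should all resolve.
function Get-EffectiveGroups {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    foreach ($sid in $u.tokenGroups) {
        try   { (Get-ADGroup -Identity $sid.Value).Name }
        catch { $sid.Value }      # well-known SIDs with no AD group object
    }
}
Get-EffectiveGroups -SamAccountName 'jdoe' | Sort-Object -Unique
```

The verification step is what makes the model auditable: if Finance_Resources is missing from the user's effective groups, one link in the chain was never added, and the share will deny access even though the user "is in Finance".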

Active Directory Policy

Encryption

One of the most effective measures against data compromise is encryption, which makes data difficult or impossible to recover even when a device is lost or accessed by a malicious user. By implementing the following Group Policies on the Computer and Server OUs we can ensure that every computer on the network encrypts its data at rest:

BitLocker

1. Enforce drive encryption type on fixed data drives – Utilize Full Disk Encryption option, skips encryption options page for user.

Policy Path = Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

2. Allow network unlock at startup – Automatically unlocks the protected operating system drive when the computer starts on the corporate wired network. Network Unlock requires a TPM+PIN protector on the client, UEFI firmware with a DHCP driver, and the BitLocker Network Unlock feature on a Windows Deployment Services server; machines started elsewhere still prompt for the PIN.

Policy Path = Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives (Microsoft, 2007).

BranchCache

1. Use Group Policy to Configure Domain Member Client Computers = Turns on BranchCache.

Policy Path = Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, Network, BranchCache. (Microsoft, 2012).

2. Windows Server 2012 encrypts the cache by default for BranchCache. (Microsoft, 2015).

Failover Clustering

Failover clustering is a feature of Windows Server, including Windows Server 2012 and 2012 R2 (it is not new in these versions, but they add features such as cluster-aware updating). It links multiple servers together to work in concert, and if one experiences a catastrophic failure the others take over immediately. This is a recommended feature for WWTC to ensure high availability as well as scalability. To enable it, add it under Add Roles and Features, Role-based or feature-based installation, select the destination server, skip the server roles page, and select Failover Clustering on the features page. Add it on every server you wish to include in the cluster, run cluster validation, and then create the cluster (Windows, 2013).

File Server Resource Manager

File Server Resource Manager, or FSRM, is "a suite of tools that allows administrators to understand, control and manage the quantity and type of data stored on their servers" (Microsoft, 2007). An important recommended tool controlled by FSRM is the File Classification Infrastructure. It lets the administrator tag files according to how important they are to the business or what impact their loss would have. One example is detecting files that contain Social Security numbers and classifying them as Personally Identifiable Information (Savill, 2013). On Windows Server 2012 and 2012 R2, FSRM is installed from Server Manager: Add Roles and Features, Role-based or feature-based installation, select the destination server, then under File and Storage Services expand File and iSCSI Services and select File Server Resource Manager. (The Add or Remove Programs / Windows Components Wizard path in the 2007 guide applies to earlier Windows Server versions.)

IP Address Management (IPAM)

An IP Address Management (IPAM) server offers better management of network resources through the following features: Address Space Management, Virtual Address Space Management, Multi-Server Management, Network Auditing and Role-based access control. The Address Space Management and Virtual Address Space Management tools give oversight of all IP addressing, show statistics such as utilization, find and resolve conflicts, and support both IPv4 and IPv6. Multi-Server Management lets you manage all DHCP and DNS servers from one console and can automatically discover them across the entire forest. With Network Auditing you can track users, IP addresses and their devices, configure reports, view configuration changes made through IPAM and resolve conflicts. Role-based access control delegates duties to other IT staff. IPAM must be installed on a domain member server and cannot be installed on an Active Directory domain controller. It can be deployed in three ways: Distributed, with an IPAM server at each site; Centralized, with one server for the enterprise; and Hybrid, with one central server plus servers at each site (Microsoft, 2014).
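As an added example (not part of the original assignment), the following PowerShell performs the installation and first configuration of the three features recommended above on Windows Server 2012 R2: Failover Clustering with validation, FSRM with a content-based PII classification rule, and IPAM with the check that it is not running on a domain controller. The server names, cluster address, share path and IPAM server name are assumptions; the Social Security number pattern is a constructed example of a classification regex.

```powershell
# Added example: Failover Clustering, FSRM classification and IPAM on Server 2012 R2.

# --- Failover Clustering: install on every node, validate once, create once.
Install-WindowsFeature Failover-Clustering -IncludeManagementTools
$nodes = 'NY-FS1', 'NY-FS2'                       # assumed node names
Test-Cluster -Node $nodes                          # fix any failed validation test before creating
New-Cluster -Name 'NY-FSCLUSTER' -Node $nodes -StaticAddress '10.10.1.50'

# --- File Server Resource Manager: on Server 2012 it is a role service under
# File and Storage Services, installed by feature name.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

# A Yes/No property "PII" and a rule that sets it when a file's content matches
# a U.S. Social Security number pattern. Classification runs on the FSRM
# schedule; later access policies and reports can key on the property.
New-FsrmClassificationPropertyDefinition -Name 'PII' -Type YesNo `
    -Description 'Contains personally identifiable information'
New-FsrmClassificationRule -Name 'Flag SSNs as PII' `
    -Property 'PII' -PropertyValue 'Yes' `
    -Namespace @('D:\Shares') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite
Start-FsrmClassification                           # classify now rather than waiting for the schedule
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue, Namespace

# --- IPAM: requires a domain member that is not a domain controller.
# Win32_ComputerSystem.DomainRole: 3 = member server, 4 = backup DC, 5 = primary DC.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw 'IPAM cannot be installed on a domain controller; use a member server.' }
if ($role -lt 3) { throw 'IPAM must be installed on a domain-joined server.' }
Install-WindowsFeature IPAM -IncludeManagementTools

# Provision the GPOs (IPAM_DC_NPS, IPAM_DHCP, IPAM_DNS) that let the IPAM server
# collect from domain controllers, DHCP and DNS servers it discovers in the forest.
Invoke-IpamGpoProvisioning -Domain 'WWTC.com' -GpoPrefixName 'IPAM' -IpamServerFqdn 'NY-IPAM1.WWTC.com'
```

Each section is meant to run on the server that hosts that role; the FSRM regex is deliberately narrow (hyphenated nine-digit form only) and would be extended in production with the other formats the organization's data actually uses.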

Smart Cards

In order to provide the most secure protection for the network, it is recommended to use two-factor authentication, which in this case is a smart card issued to each employee together with a PIN the user chooses and remembers. With two-factor authentication the user must present something they have and something they know, which leaves an attacker far less chance of obtaining both pieces of the puzzle. Smart card logon requires a public key infrastructure (PKI): each card holds a certificate and the corresponding private key, and the private key never leaves the card. The certificate is mapped to a user account in Active Directory, normally through the user principal name in its subject alternative name, and Group Policy can then require smart cards for interactive logon and control other smart card behaviour. Group Policy is used to push these settings to the relevant OUs, and administrative tasks can be delegated in Active Directory to ease management (Microsoft, 2007).
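As an added example (not part of the original assignment), the following PowerShell checks that the certificate on an inserted smart card has the properties Active Directory smart card logon depends on (the Smart Card Logon EKU, a UPN in the subject alternative name, a chain to a trusted CA, and a mapping to exactly one account), and then shows how to confirm on the domain controller that a logon really used the card. The card holder's workstation being domain-joined and having certificate propagation enabled (as the smart card GPO settings in this design do) is assumed.

```powershell
# Added example: validating a smart card logon certificate against AD requirements.
Import-Module ActiveDirectory

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # TLS client authentication

function Test-SmartCardLogonCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # EKU: with the default policy the DC rejects certificates lacking the Smart
    # Card Logon EKU. Logon with such a certificate works only if "Allow
    # certificates with no extended key usage certificate attribute" is enabled,
    # which weakens validation; prefer issuing correct certificates.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })

    # The UPN in the Subject Alternative Name (OID 2.5.29.17) maps the certificate
    # to the AD account; Format($false) renders it as "Principal Name=user@domain".
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($sanExt -and ($sanExt.Format($false) -match 'Principal Name=([^,\s]+)')) { $upn = $Matches[1] }

    # Chain: the issuing CA must be trusted by the workstation, and for the DC side
    # it must be in the enterprise NTAuth store (certutil -enterprise -store NTAuth).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)

    $account = if ($upn) { @(Get-ADUser -Filter "UserPrincipalName -eq '$upn'") } else { @() }

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        HasPrivateKey    = $Cert.HasPrivateKey             # key lives on the card
        HasSmartCardEku  = ($ekus -contains $SmartCardLogonEku)
        HasClientAuthEku = ($ekus -contains $ClientAuthEku)
        Upn              = $upn
        ChainBuilds      = $chainOk
        ChainErrors      = (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
        MapsToOneAccount = ($account.Count -eq 1)
        NotAfter         = $Cert.NotAfter
    }
}

# Certificate propagation copies the card's certificates into CurrentUser\My.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-SmartCardLogonCertificate -Cert $_ } |
    Format-List

# --- On a domain controller: Kerberos PKINIT (certificate) pre-authentication is
# logged as event 4768 with the Certificate Information fields filled in; a
# password logon leaves them blank. This pulls the issuer out of the message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 5 |
    Select-Object TimeCreated,
        @{ n = 'Account';    e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Account Name:' }) -replace '.*:\s*', '' } },
        @{ n = 'CertIssuer'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Certificate Issuer Name:' }) -replace '.*:\s*', '' } }
```

A certificate that reports HasSmartCardEku = False or MapsToOneAccount = False should be reissued rather than worked around with the relaxed EKU policy setting; the 4768 query is the evidence that "Interactive logon: Require smart card" is actually being enforced.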

Active Directory Group Policy

WWTC requested several improvements as part of its new Active Directory deployment. Most of the features to be implemented are security related and must be enforced through Windows Server 2012 Group Policy objects (GPOs). The WWTC Company Policy GPO was created to work in conjunction with the Default Domain Policy. The key security feature requested was BitLocker with pre-boot authentication on WWTC's computers; in addition, policies allow BitLocker-protected machines to unlock automatically when started on the corporate wired network (Network Unlock). The next GPO settings enable the BranchCache service. A set of policies configures BranchCache to run in hosted cache mode, including the Background Intelligent Transfer Service (BITS) settings it relies on. The Offline Files settings enforce two data security requirements: preventing end users from storing data offline and encrypting any data that is cached on a computer. The smart card settings control how an end user's smart card interacts with the computer, which certificates may be used with the card, and what prompts the user receives. Lastly, the file classification settings enable automated rules that classify a file's sensitivity using a predetermined set of properties, and present a custom notification when access to a file or folder is denied.

Default Domain Policy GPO

Password Policy GPO Settings

Enforce password history = 6 passwords remembered

Maximum password age = 60 days

Minimum password age = 15 days

Minimum password length = 12 characters

Password must meet complexity requirements = enabled

Store passwords using reversible encryption for all users in the domain = disabled (enabling this stores a recoverable form of every password in the directory and must never be set)

Account lockout duration = 15 minutes

Account lockout threshold = 3 invalid logon attempts

Reset account lockout counter after = 15 minutes
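As an added example (not part of the original assignment), the following PowerShell audits the effective default domain password policy of WWTC.com against the values above and flags the one setting that must never be on. It is a check, not the configuration: the policy itself lives in the Default Domain Policy GPO as designed, and values written to the domain object with Set-ADDefaultDomainPasswordPolicy would be overwritten at the next policy refresh.

```powershell
# Added example: verify the WWTC.com default domain password policy.
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    param([string]$Domain = 'WWTC.com')
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    # Reversible encryption keeps a cleartext-equivalent of every password in the
    # directory database; anyone who can read it (or a backup of NTDS.dit) has
    # every password. It must be Disabled.
    if ($p.ReversibleEncryptionEnabled) { $findings.Add('Store passwords using reversible encryption is ENABLED; must be Disabled') }
    if ($p.MinPasswordLength -lt 12)    { $findings.Add("Minimum password length $($p.MinPasswordLength) is below 12") }
    if (-not $p.ComplexityEnabled)      { $findings.Add('Password complexity requirement is off') }
    if ($p.PasswordHistoryCount -lt 6)  { $findings.Add("Password history $($p.PasswordHistoryCount) is below 6") }
    # A zero maximum age means passwords never expire.
    if ($p.MaxPasswordAge.TotalDays -eq 0 -or $p.MaxPasswordAge.TotalDays -gt 60) {
        $findings.Add("Maximum password age $($p.MaxPasswordAge.TotalDays) days (0 = never) exceeds 60")
    }
    # Without a minimum age a user can cycle through 6 changes and return to the old password.
    if ($p.MinPasswordAge.TotalDays -lt 15) { $findings.Add("Minimum password age $($p.MinPasswordAge.TotalDays) days is below 15") }
    # A zero threshold means accounts never lock.
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt 3) { $findings.Add("Lockout threshold $($p.LockoutThreshold) (0 = never) exceeds 3") }
    if ($p.LockoutDuration.TotalMinutes -lt 15)          { $findings.Add("Lockout duration $($p.LockoutDuration.TotalMinutes) min is below 15") }
    if ($p.LockoutObservationWindow.TotalMinutes -lt 15) { $findings.Add("Lockout counter reset $($p.LockoutObservationWindow.TotalMinutes) min is below 15") }

    # The same weakness can be set per account (a userAccountControl flag) regardless
    # of the domain policy, so list any account that has it.
    Get-ADUser -Filter 'AllowReversiblePasswordEncryption -eq $true' -Server $Domain |
        ForEach-Object { $findings.Add("User $($_.SamAccountName) has reversible encryption enabled on the account") }

    # Fine-grained password policies (PSOs) override the default for their members;
    # flag any that is weaker than the domain baseline.
    Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain | ForEach-Object {
        if ($_.ReversibleEncryptionEnabled -or $_.MinPasswordLength -lt 12 -or -not $_.ComplexityEnabled) {
            $findings.Add("PSO '$($_.Name)' is weaker than the domain policy")
        }
    }
    return ,$findings
}

$result = Get-PasswordPolicyFindings
if ($result.Count -eq 0) { 'Password policy matches the WWTC design.' } else { $result }
```

Run this from any domain controller after the Default Domain Policy has refreshed; an empty result is the expected state, and any line about reversible encryption is a stop-everything finding.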

Account Audit GPO Settings

Audit account logon events = success / failure

Audit account management = success / failure

Audit directory service access = success / failure

Audit logon events = success / failure

Audit object access = success / failure

Audit policy change = success / failure

Audit privilege use = success / failure

Audit process tracking = success / failure

Audit system events = success / failure

User Access Control (UAC) GPO Settings

User Account Control: Admin Approval Mode for the Built-in Administrator account = enabled

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop

User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials

User Account Control: Detect application installations and prompt for elevation = enabled

User Account Control: Only elevate executables that are signed and validated = enabled

User Account Control: Run all administrators in Admin Approval Mode = enabled

User Account Control: Switch to the secure desktop when prompting for elevation = enabled

User Account Control: Virtualize file and registry write failures to per-user locations = enabled

WWTC Company Policy GPO

BitLocker Policy GPO Settings

Choose drive encryption method and cipher strength = enabled; AES 256-bit

Allow enhanced PINs for startup = enabled

Use enhanced Boot Configuration Data validation profile = enabled

Choose how BitLocker-protected operating system drives can be recovered = enabled; store in AD DS

Enforce drive encryption type on operating system drives = enabled; full disk encryption

Require additional authentication at startup = enabled; require TPM and PIN (TPM-only protectors not allowed)

Allow network unlock at startup = enabled

Configure minimum PIN length for startup = enabled; minimum 6 characters

Configure use of hardware-based encryption for operating system drives = enabled

Allow Secure Boot for integrity validation = enabled

Configure TPM platform validation profile for BIOS-based firmware configurations = enabled

Configure TPM platform validation profile for native UEFI firmware configurations = enabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = enabled

System cryptography: Force strong key protection for user keys stored on the computer = user is prompted when key is first used
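As an added example (not part of the original assignment), the following PowerShell creates the WWTC Company Policy GPO, writes the core BitLocker settings listed above as registry-based policy, links the GPO to the workstation OU, and then checks that a protected computer has actually escrowed its recovery information to AD DS. The registry value names are those used by the BitLocker policy template (VolumeEncryption.admx) for Windows 8.1 / Server 2012 R2 and should be verified against the Group Policy Settings Reference spreadsheet cited in this document before deployment; the OU path and the computer name are assumptions.

```powershell
# Added example: BitLocker settings as a GPO, plus an AD DS recovery-key escrow check.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'WWTC Company Policy'
$fve     = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'WWTC BitLocker, BranchCache, Offline Files and smart card settings' | Out-Null
}

# Value names from VolumeEncryption.admx (verify against the settings reference).
# For the protector options: 0 = do not allow, 1 = require, 2 = allow.
$bitlocker = [ordered]@{
    # Choose drive encryption method and cipher strength = AES 256-bit
    # (Windows 8/8.1 policy value; 3 = AES 128, 4 = AES 256)
    'EncryptionMethodNoDiffuser'     = 4
    # Require additional authentication at startup = enabled; TPM and PIN
    'UseAdvancedStartup'             = 1
    'EnableBDEWithNoTPM'             = 0   # no BitLocker without a TPM
    'UseTPM'                         = 0   # TPM-only unlocks for whoever boots the machine
    'UseTPMPIN'                      = 1   # TPM + PIN required
    'UseTPMKey'                      = 0
    'UseTPMKeyPIN'                   = 0
    # Allow enhanced PINs for startup = enabled; minimum PIN length = 6
    'UseEnhancedPin'                 = 1
    'MinimumPIN'                     = 6
    # Choose how BitLocker-protected operating system drives can be recovered:
    # escrow to AD DS and refuse to enable BitLocker until the escrow succeeded.
    'OSRecovery'                     = 1
    'OSRecoveryPassword'             = 2   # 48-digit recovery password required
    'OSRecoveryKey'                  = 0   # no recovery key files on removable media
    'OSHideRecoveryPage'             = 1   # users do not see or save recovery data themselves
    'OSActiveDirectoryBackup'        = 1
    'OSActiveDirectoryInfoToStore'   = 1   # recovery passwords and key packages
    'OSRequireActiveDirectoryBackup' = 1
}
foreach ($name in $bitlocker.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $fve -ValueName $name -Type DWord -Value $bitlocker[$name] | Out-Null
}

# Link to the workstation OU (assumed path) if not already linked.
$target = "OU=Workstations,OU=WWTC,$((Get-ADDomain).DistinguishedName)"
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }

# Read back what the GPO now contains.
Get-GPRegistryValue -Name $gpoName -Key $fve | Select-Object ValueName, Value

# Escrow check: each recovery password is stored as an msFVE-RecoveryInformation
# object under the computer account. A machine with BitLocker on and zero such
# objects is the failure mode the OSRequireActiveDirectoryBackup setting prevents.
function Get-BitLockerEscrow {
    param([string]$ComputerName)
    $c    = Get-ADComputer -Identity $ComputerName
    $objs = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                           -SearchBase $c.DistinguishedName -Properties whenCreated)
    [pscustomobject]@{
        Computer     = $ComputerName
        EscrowedKeys = $objs.Count
        Newest       = ($objs | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated
        Escrowed     = ($objs.Count -gt 0)
    }
}
Get-BitLockerEscrow -ComputerName 'NY-WS-0001'      # assumed computer name
# On the client itself: manage-bde -protectors -get C:  should list TPMAndPIN and RecoveryPassword.
```

Reading the recovery password attribute itself requires explicit delegation; the escrow check above deliberately counts objects and timestamps only, which is all the help desk needs to confirm a machine can be recovered.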

BranchCache GPO Settings

Turn on BranchCache = enabled

Set percentage of disk space used for client computer cache = enabled; 15%

Set BranchCache Hosted Cache mode = enabled

Configure BranchCache for network files = enabled

Enable Automatic Hosted Cache Discovery by Service Connection Point = enabled

Configure Hosted Cache Servers = enabled; list the hosted cache server names (when this setting is enabled it takes precedence over Set BranchCache Hosted Cache mode and over automatic discovery, so the server list here is what clients actually use)

Set age for segments in the data cache = enabled; 15 days

Timeout for inactive BITS jobs = enabled

Limit the maximum BITS job download time = enabled; 5 days

Limit the maximum network bandwidth for BITS background transfers = enabled

Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers = enabled

Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers = enabled

Allow BITS Peercaching = enabled

Limit the age of files in the BITS Peercache = enabled; 10 days

Limit the BITS Peercache size = enabled; 10%

Limit the maximum network bandwidth used for Peercaching = enabled

Set default download behavior for BITS jobs on costed networks = enabled

Limit the maximum number of BITS jobs for this computer = enabled

Limit the maximum number of BITS jobs for each user = enabled

Limit the maximum number of files allowed in a BITS job = enabled

Limit the maximum number of ranges that can be added to the file in a BITS job = enabled

Hash Publication for BranchCache = enabled

Hash Version support for BranchCache = enabled; value of 3

Offline (Cache) Encryption GPO Settings

Default cache size = enabled; 15%

Allow or Disallow use of the Offline Files feature = enabled

Encrypt the Offline Files cache = enabled

Event logging level = enabled

Files not cached = enabled

Action on server disconnect = enabled; never go offline

Prevent use of Offline Files folder = enabled

Prohibit user configuration of Offline Files = enabled

Remove "Make Available Offline" command = enabled

Remove "Make Available Offline" for these files and folders = enabled

At logoff delete local copy of user’s offline files = enabled

Limit disk space used by Offline Files = enabled

Smart Card GPO Settings

Interactive logon: Do not display last user name = enabled

Interactive Logon: Display user information when session is locked = name only

Interactive logon: Machine account lockout threshold = 3 attempts

Interactive logon: Machine inactivity limit = 7 minutes

Interactive logon: Message text for users attempting to logon = TBD

Interactive logon: Message title for users attempting to logon = TBD

Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 1 logon

Interactive logon: Prompt user to change password before expiration = 15 days

Interactive logon: Require smart card = enabled

Interactive logon: Smart card removal behavior = lock workstation

Allow certificates with no extended key usage certificate attribute = enabled (this relaxes certificate validation; it should be enabled only if the issued cards carry certificates without the Smart Card Logon EKU, and disabled once they are reissued)

Filter duplicate logon certificates = enabled

Allow signature keys valid for Logon = enabled (also a relaxation; disable it if the logon certificates are issued with key usage that permits encryption)

Turn on certificate propagation from smart card = enabled

Configure root certificate clean up = enabled

Turn on root certificate propagation from smart card = enabled

Display string when smart card is blocked = enabled

Prevent plaintext PINs from being returned by Credential Manager = enabled

Allow user name hint = enabled

Turn on Smart Card Plug and Play service = enabled

Notify user of successful smart card driver installation = enabled

Allow ECC certificates to be used for logon and authentication = enabled

File Classification GPO Settings

File Classification Infrastructure: Display Classification tab in File Explorer = enabled

File Classification Infrastructure: Specify classification properties list = enabled

Customize message for Access Denied errors = enabled

Enable access-denied assistance on client for all file types = enabled

(Microsoft, 2015)

References

Microsoft. (Apr 30, 2007). Windows BitLocker Drive Encryption Step-by-Step Guide. Retrieved from https://technet.microsoft.com/en-us/library/c61f2a12-8ae6-4957-b031-97b4d762cf31

Microsoft. (Jul 25, 2012). Use Group Policy To Configure Domain Member Client Computers. Retrieved from https://technet.microsoft.com/en-gb/library/jj572988.aspx#bkmk_gp

Microsoft. (Oct 19, 2015). BranchCache Overview. Retrieved from https://technet.microsoft.com/en-us/library/hh831696.aspx

Microsoft. (Nov 1, 2013). Create a Failover Cluster. Retrieved from https://technet.microsoft.com/en-us/library/dn505754.aspx

Microsoft. (Apr 25, 2007). Introduction to File Server Resource Manager. Retrieved from https://technet.microsoft.com/en-us/library/cc755670%28v=ws.10%29.aspx

Microsoft. (April 15, 2014). IP Address Management Overview. Retrieved from https://technet.microsoft.com/en-GB/library/hh831353.aspx#ASM

Microsoft. (2007). The Secure Access Using Smart Cards Planning Guide. Retrieved from https://www.microsoft.com/en-us/download/confirmation.aspx?id=4184

Microsoft (2015, November 23). Group Policy Settings Reference for Windows and Windows Server: Windows 8.1 Update and Windows Server 2012 R2 Update 1 .xlsx. Retrieved February 22, 2016, from https://www.microsoft.com/en-us/download/details.aspx?id=25250

Microsoft, (2014). What are Domains and Forests? TechNet. Retrieved on February 22, 2016 from https://technet.microsoft.com/enus/library/cc759073(v=ws.10).aspx#w2k3tr_logic_what_ovkc

Minasi, M. (2014). Mastering Windows server 2012 R2 (1st ed.).

Savill, J. (May 29, 2013). Windows Server 2012 File Classification Infrastructure. Retrieved from http://windowsitpro.com/windows-server-2012/windows-server-2012-fci

UMUC. (n.d.). Case Study World Wide Trading Company. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908850

UMUC. (n.d.). WWTC Office Layout. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1NA/WWTC Office Layout.png?ou=173660

UMUC. (n.d.). Active Directory Design and Implementation Assignment. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1OQ/Security Policy and Security Design Assignment.docx?ou=173660